All That JAAS
Pluggable authentication and authorization services provide many key security benefits for Java applications
by Kevin Jones
Posted June 7, 2004
The Java Authentication and Authorization Service (JAAS) was introduced during the lifetime of JDK 1.3. JAAS provides two services: authentication and authorization. The authentication service is pluggable, which means that an application can remain independent of the authentication techniques used, that authentication modules can be upgraded easily, and that an application can use multiple forms of authentication concurrently. Let's look at the authentication part of JAAS, and then we'll discuss authorization later.
JAAS is based on the Pluggable Authentication Modules (PAM) model. PAM is used widely in the Unix world. Pluggable authentication confers several benefits: it allows applications to provide for single sign-on across multiple security domains; it allows for easy upgrading of a given login module; it allows for other modules to be added as necessary without changing client code; and it allows for rules to be applied to each login module such that the result of one login may or may not affect the overall login process, that is, a module can be marked as optional or required.
In JAAS the login modules that an application uses are configured externally to that application. That configuration is made available to the application, which simply calls a single login method to perform the login (see Figure 1). Each module then gathers the necessary data to perform the login. So, how does this work?
Within an application, making use of JAAS for authentication is straightforward. The application creates a new LoginContext and calls its login method. The LoginContext is populated with a collection of LoginModules. The LoginModules to use are specified in a configuration file, which is passed to the application at startup. We'll see how this process works shortly. Each LoginModule is then executed as necessary, depending on the options in the configuration file.
JAAS Configuration
The JAAS configuration file is similar in layout to a Java security policy file. The file specifies the fully qualified class name of the login module to load along with a flag specifying the behavior as authentication proceeds. The format of this file is:
Application1 {
    Class Flag Options;
    Class Flag Options;
    Class Flag Options;
};
Application2 {
    Class Flag Options;
    Class Flag Options;
};
other {
    Class Flag Options;
    Class Flag Options;
};
Application1, Application2 and so on are the named blocks that an application references by name when creating its LoginContext. Note that a given configuration file can contain more than one named block. The other block is a special application block that is consulted if the application name used in the Java code does not match any application name used in the configuration file.
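The following is an added, self-contained example (not code from the article) that ties the pieces above together: a configuration file with a named block and an other fallback block, a small LoginModule that implements the two-phase login/commit protocol, and an application that creates a LoginContext and calls login. The class names JaasDemo and DemoLoginModule, the block name DemoApp, the debug option and the user table are all constructed for this example; the module class is referenced in the configuration by its fully qualified name. The configuration is written to a temporary file and handed to the JDK's default Configuration through the java.security.auth.login.config system property. It needs Java 16 or later (records and instanceof patterns).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class JaasDemo {
    // Constructed JAAS configuration. "DemoApp" is the block the application asks for;
    // "other" is the fallback consulted when no block matches the name given to LoginContext.
    private static final String CONFIG =
          "DemoApp {\n"
        + "    JaasDemo$DemoLoginModule required debug=true;\n"
        + "};\n"
        + "other {\n"
        + "    JaasDemo$DemoLoginModule required;\n"
        + "};\n";

    /** Principal attached to the Subject on a successful login (hypothetical type). */
    public record DemoPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    /** Hypothetical LoginModule: checks a name/password pair against a constructed table. */
    public static class DemoLoginModule implements LoginModule {
        private static final Map<String, char[]> USERS = new HashMap<>();
        static { USERS.put("alice", "s3cret".toCharArray()); }   // constructed sample account

        private Subject subject;
        private CallbackHandler handler;
        private boolean debug, succeeded;
        private String user;
        private Principal principal;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            this.debug = "true".equals(options.get("debug"));   // "Options" from the config file
        }

        // Phase 1: gather credentials through the application's CallbackHandler and verify them.
        @Override
        public boolean login() throws LoginException {
            NameCallback nameCb = new NameCallback("user: ");
            PasswordCallback passCb = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nameCb, passCb });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("cannot collect credentials: " + e);
            }
            user = nameCb.getName();
            char[] supplied = passCb.getPassword();              // getPassword() returns a copy
            passCb.clearPassword();
            char[] expected = user == null ? null : USERS.get(user);
            succeeded = expected != null && supplied != null && Arrays.equals(expected, supplied);
            if (supplied != null) Arrays.fill(supplied, '\0');   // do not keep the password in memory
            if (debug) System.out.println("[DemoLoginModule] login for " + user + ": " + succeeded);
            if (!succeeded) throw new FailedLoginException("bad user name or password");
            return true;
        }

        // Phase 2: reached only if the overall login succeeded; attach the identity to the Subject.
        @Override
        public boolean commit() {
            if (!succeeded) return false;
            principal = new DemoPrincipal(user);
            subject.getPrincipals().add(principal);
            return true;
        }

        @Override
        public boolean abort() { return cleanup(); }   // another required module failed

        @Override
        public boolean logout() {
            if (principal != null) subject.getPrincipals().remove(principal);
            return cleanup();
        }

        private boolean cleanup() { user = null; succeeded = false; principal = null; return true; }
    }

    // The application's side of the exchange: answers the callbacks the module issues.
    private static CallbackHandler handlerFor(String name, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback nc) nc.setName(name);
                else if (cb instanceof PasswordCallback pc) pc.setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    public static void main(String[] args) throws Exception {
        Path cfg = Files.createTempFile("jaas-demo", ".conf");
        Files.writeString(cfg, CONFIG, StandardCharsets.UTF_8);
        // Point the default JAAS Configuration at the file before any LoginContext is created.
        System.setProperty("java.security.auth.login.config", cfg.toString());

        // Correct credentials against the "DemoApp" block.
        LoginContext ok = new LoginContext("DemoApp", handlerFor("alice", "s3cret".toCharArray()));
        ok.login();
        System.out.println("authenticated principals: " + ok.getSubject().getPrincipals());
        ok.logout();

        // Wrong password, and an unknown application name, so the "other" block is used.
        LoginContext bad = new LoginContext("NoSuchApp", handlerFor("alice", "wrong".toCharArray()));
        try {
            bad.login();
            System.out.println("unexpected success");
        } catch (LoginException e) {
            System.out.println("login refused as expected: " + e.getMessage());
        }
        Files.deleteIfExists(cfg);
    }
}
```

Compile and run with javac JaasDemo.java and java JaasDemo. The first LoginContext succeeds and prints the DemoPrincipal added in commit; the second is built with a name that matches no block, so JAAS falls back to other, and the required module's FailedLoginException surfaces from login as a LoginException. Because the module is marked required, a failure in login prevents commit from ever running, which is why the identity is only attached to the Subject in the second phase.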